25M Americans Exposed: The Conduent Government Data Breach

A March 2026 breach report highlighted the growing impact of a data breach at government contractor Conduent, affecting over 25 million Americans. The breach, attributed to the SafePay ransomware group, exposed 8.5 terabytes of data including Social Security numbers, medical records, and health insurance details. States like Oregon (10.5 million) and Texas (15.4 million) account for a significant portion of the victims.

25M Americans Exposed: The Conduent Government Data Breach

A major data breach at Conduent, a company that processes sensitive information on behalf of government agencies, has exposed the personal records of more than 25 million Americans. The breach, carried out by the SafePay ransomware group, resulted in 8.5 terabytes of stolen data, including Social Security numbers, medical records, and health insurance details. If you live in Oregon or Texas, the odds are particularly high that your information was caught up in this incident.

This breach is a stark reminder that your personal data doesn't just sit on your own devices. It lives inside the systems of contractors, processors, and third-party vendors you've never heard of, and whose security practices you have no control over.

Who Is Conduent and Why Does This Matter?

Conduent is a business process services company that handles administrative and data processing work for government agencies across the United States. That means it routinely handles the kind of information that is most sensitive: benefits data, health records, and Social Security numbers tied to real people's identities and financial lives.

When a company like Conduent suffers a breach, the consequences ripple far beyond a single agency or state. Oregon reported approximately 10.5 million affected residents. Texas reported around 15.4 million. Together, those two states alone account for a significant share of the 25 million total victims, but the breach likely touched residents across multiple states that have contracted with Conduent for government services.

The SafePay ransomware group claimed responsibility for the attack. Ransomware groups like this typically exfiltrate data before encrypting systems, giving them leverage to demand payment and the ability to sell or leak stolen records even if a ransom is paid.

The Real Risk: SSNs and Medical Records Don't Expire

Not all data breaches carry the same long-term risk. Stolen passwords can be changed. Compromised email addresses can be monitored. But Social Security numbers and medical records are a different category entirely.

Your Social Security number is effectively permanent. Once it's in the hands of a criminal, it can be used to open fraudulent credit accounts, file false tax returns, or commit medical identity theft, sometimes years after the original breach. Medical records add another layer of exposure, revealing conditions, medications, and insurance details that can be exploited in insurance fraud or targeted phishing schemes.

This is why the Conduent breach deserves more attention than a typical credential leak. The data involved is the kind that fuels identity theft for years, not just the weeks following an incident.

What This Means For You

Even if you never directly interacted with Conduent, your data may have passed through their systems if you received government benefits, healthcare coverage, or social services in an affected state. Here's what you should consider doing now:

Check breach notification letters. If you're an Oregon or Texas resident, watch for official notifications from state agencies about whether your records were involved.
Place a credit freeze. A credit freeze at all three major bureaus (Equifax, Experian, and TransUnion) is one of the most effective ways to block fraudulent account openings using your SSN.
Monitor your explanation of benefits (EOB) statements. Medical identity theft often shows up as unfamiliar claims or providers on your health insurance statements.
Be alert to targeted phishing. Attackers who hold your personal details can craft convincing emails or calls that appear to come from government agencies or insurers. Treat unsolicited contact with healthy skepticism.
Use strong, unique passwords and enable two-factor authentication on any accounts linked to government services or healthcare portals.

It's also worth thinking more broadly about your digital privacy habits. Breaches like this one are increasingly common, and the data exposed often ends up on dark web marketplaces where it gets packaged and resold. Limiting your overall exposure, through strong privacy practices and tools that reduce how much of your activity can be tracked or intercepted, is a reasonable response to a world where large-scale breaches have become routine.

Third-Party Risk Is Everyone's Problem

The Conduent breach is part of a broader pattern. Government agencies and large institutions routinely delegate data processing to contractors, and those contractors can present a weaker link in an otherwise secure chain. As an individual, you have almost no visibility into which vendors hold your information or how well those vendors protect it.

That's a frustrating reality, but it does reinforce why taking ownership of your own privacy matters. Using a VPN like hide.me won't prevent a government contractor from being breached, but it is one layer in a broader approach to keeping your online activity private, particularly when you're on public or shared networks where your data is most exposed. Building privacy-first habits, including encrypted browsing, careful account hygiene, and staying informed about breaches that affect you, is a practical response to a threat landscape you can't fully control.

The 25 million Americans caught up in the Conduent breach didn't do anything wrong. Their data was simply held by an organization that became a target. The best defense is staying informed, acting quickly when breaches occur, and making personal data privacy a regular habit rather than an afterthought.